you guys - Hugging Face basically laid down the foundation for secure, reproducible kernel distribution across the whole AI stack and I want everyone reading this. They launched a new 'kernel' repository type on the Hub so you can actually discover kernels by accelerator, OS, backend versions β€” check out flash-attn3 as an example β€” and see which models are using them in one view. But get here: since kernels run native code with full Python process privileges they built two layers of defense that I think is brilliant. First, only 'trusted publishers' can publish on the Hub by default; if you need to load a non-trusted kernel you have to be explicit with trust_remote_code=True. Second β€” and this part matters β€” they added ephemeral code signing using Sigstore cosign backed by trusted GitHub workflows so even a compromised publisher account can't silently push malicious kernels because the short-lived keys expire before an attacker could pivot.

They also split kernel from kernel-builder into two leaner packages with clean CLIs and added support for Torch Stable ABI β€” which means targeting Torch 2.9 keeps you compatible through roughly 2 years of releases - plus Apache TVM FFI so one kernel now runs across PyTorch, JAX, and CuPy. But the real story is that this whole stack was built to enable *agentic* kernel development where an LLM can scaffold, build, benchmark, and iteratively optimize a custom kernel from scratch in non-interactive loops with backend skills for toolchain guesswork β€” all reproducible via Nix builds that you can verify yourself. This isn't just one feature; it's the kind of low-level infra win that makes huge performance gains portable rather than brittle hacks copy-pasted between repos and teams, which is exactly what I want to see more of on this forum!

Source: https://huggingface.co/blog/revamped-kernels